fix(ci): prevent truncating the upgrade proposal with tee #5101
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Linters and SAST | |
on: | |
push: | |
tags: | |
- "*" | |
merge_group: | |
pull_request: | |
types: | |
- opened | |
- edited | |
- synchronize | |
concurrency: | |
group: linters-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
gosec: | |
runs-on: ubuntu-22.04 | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: '1.20' | |
- name: Run Gosec Security Scanner | |
uses: securego/gosec@v2.19.0 | |
with: | |
args: ./... | |
gosec-cosmos: | |
runs-on: ubuntu-22.04 | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: '1.20' | |
- name: Run Cosmos Gosec Security Scanner | |
run: make lint-cosmos-gosec | |
lint: | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 15 | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: '1.20' | |
- name: Run golangci-lint | |
uses: golangci/golangci-lint-action@v6 | |
with: | |
version: v1.59 | |
skip-cache: true | |
nosec_alert: | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 10 | |
env: | |
GO111MODULE: on | |
steps: | |
- name: Checkout Source | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Getting files updated in the PR | |
id: changed-files | |
uses: tj-actions/changed-files@v41 | |
with: | |
base_sha: ${{ github.event.pull_request.base.sha }} | |
- name: List all changed files | |
run: | | |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
echo "$file was changed" | |
done | |
- name: Report nosec usage | |
run: | | |
nosec_list=() | |
nosec_detected=0 | |
echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}" | |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
# Skip this workflow file | |
if [ "$file" == ".github/workflows/sast-linters.yml" ] || [ "$file" == "changelog.md" ]; then | |
echo "Skipping nosec check for $file" | |
continue | |
fi | |
# Only consider additions of "nosec", marked by '+' | |
if git diff ${{ github.event.pull_request.base.sha }} $file | grep -q '^+.*nosec'; then | |
echo "nosec detected in $file" | |
nosec_list+=("$file,") | |
nosec_detected=1 | |
else | |
echo "nosec not detected in $file" | |
fi | |
done | |
nosec_list_string="${nosec_list[@]}" | |
nosec_list_string="${nosec_list_string%,}" | |
echo "nosec_files=$nosec_list_string" >> $GITHUB_ENV | |
echo "nosec_detected=$nosec_detected" >> $GITHUB_ENV | |
- name: Report nosec uses | |
uses: mshick/add-pr-comment@v2 | |
if: env.nosec_detected == 1 | |
with: | |
message: | | |
*!!!WARNING!!!* | |
`nosec` detected in the following files: ${{ env.nosec_files }} | |
Be very careful about using `#nosec` in code. It can be a quick way to suppress security warnings and move forward with development, it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way. | |
Only suppress a single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the #nosec annotation, e.g: /* #nosec G401 */ or //#nosec G201 G202 G203 | |
Broad `#nosec` annotations should be avoided, as they can hide other vulnerabilities. **The CI will block you from merging this PR until you remove `#nosec` annotations that do not target specific rules**. | |
Pay extra attention to the way `#nosec` is being used in the files listed above. | |
- name: Add Label | |
uses: actions/github-script@v6 | |
if: env.nosec_detected == 1 | |
with: | |
script: | | |
github.rest.issues.addLabels({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
labels: ["nosec"] | |
}) | |
- name: Check for '#nosec' without a specific rule | |
run: | | |
DIFF=$(git diff ${{ github.event.pull_request.base.sha }}) | |
echo "$DIFF" | grep -P '#nosec(?!(\sG\d{3}))(?![^\s\t])([\s\t]*|$)' && echo "nosec without specified rule found!" && exit 1 || exit 0 |